Access Denied: Returning to a Domain's Default Permissions

The Dsacls command lets you configure AD permissions from the command line.

Randy Franklin Smith

January 17, 2005

1 Min Read
ITPro Today logo in a gray background | ITPro Today

We've royally messed up our permissions in Active Directory (AD). How can we get back to AD's default permissions and start again?

A Windows Support Tools command called Dsacls lets you configure AD permissions from the command line. The command

dsacls DC=Acme,DC=Com /S /T

would reset the permissions for the acme.com domain. The /S switch resets the specified object's permissions to the default ACL specified in AD's schema. The /T switch causes Dsacls to reset permissions for all the specified object's child objects. In other words, the Dsacls command with /S and /T will reset all permissions from the root of the specified domain down to the default permissions for each object's class to the value specified in the domain's schema. You can use Dsacls to modify an object's permissions any way you want—from adding or removing an access control entry (ACE) to replacing the ACE with permissions specified on the command line. For a full explanation of Dsacls parameters, type

dsacls /?

at the command prompt.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like